Rig EK at 74.208.192.129 Drops CryptMIC Ransomware

IOCs:

  • 23.253.246.169 – standiferplace.org – Compromised Site
  • 74.208.192.129 – gissendannerkudosta.cyclemanagementassociates.org – Rig EK
  • 65.49.8.96 – CryptMIC post-infection callback traffic via TCP port 443

Hashes:

  1. SHA256: eb68b4c9ef550aa2cb0304ee866cf65cb9df0dacaeb37f89417ab8c3eacbe7ee
    File name: RigEK Landing Page.html
  2. SHA256: cc1002a14db7ccf59b7320b49a5dfc0995a6ad6895bfaab4de1a296756020fe6
    File name: RigEK Flash Exploit.swf
  3. SHA256: bd98b94ec01df8a3391af1203f662225a4734c154ee58a739cd4af5328ff0823
    File name: IIj6sFosp
  4. SHA256: a14720c38e5317d2616697d16a8c46532ddf6a183bc1d3276cbf936d9bba5e4d
    File name: radD66CA.tmp.exe

Traffic:

[Image: traffic]

Infection Chain:

The infection chain starts off with the pseudoDarkleech script redirecting the host to the Rig Exploit Kit landing page. Below is the injected script found within the iframe tags:

[Image: compromised site showing pseudoDarkleech script]

Once the browser loads the compromised site, the iframe generates a GET request from the host to the Rig Exploit Kit landing page:

[Image: Rig EK landing page]

The Rig Exploit Kit landing page contains malicious code that, when successfully loaded, initiates another GET request for a Flash exploit:

[Image: Flash exploit]

And finally we see the GET request for the payload, served with the content type application/x-msdownload:

[Image: payload]

As with my previous post found HERE, I didn’t get compromised on my first run. Initially, the first file that was dropped in %TEMP% was a .dll. It wasn’t until my second run, when an executable named “radD66CA.tmp.exe” was dropped, that my host was compromised.

Preceding radD66CA.tmp.exe dropping in %TEMP% was a file named “IIj6sFosp”. This file deletes itself before the .dll and .exe files are dropped. Here is a look at IIj6sFosp:

[Image: js (contents of IIj6sFosp)]

Here are the files located in %TEMP%:

[Image: temp files]

We can see that ransom notes (Bitmap, HTML, and Text) are dropped in various folders and on the Desktop:

[Image: desktop]

My recommendation is to block both the Rig Exploit Kit IP and post-infection IP at your perimeter firewall(s).
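Added example, not the blog's own code: a small Python correlation over proxy-log lines that flags a client as infected only when it walked the chain above (landing page, Flash exploit, x-msdownload payload from the Rig EK host) and then called back to the CryptMIC server, which is the evidence you would want before and after applying the firewall blocks. The hosts and IPs are this post's IOCs; the log format, client IPs, timestamps and URIs are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Indicators taken from this post.
RIG_EK_HOST = "gissendannerkudosta.cyclemanagementassociates.org"
COMPROMISED_HOST = "standiferplace.org"
CALLBACK_DST = "65.49.8.96:443"
# Chain stages in the order the post describes them: (name, predicate over a parsed log record).
STAGES = [
    ("redirect", lambda r: r["host"] == COMPROMISED_HOST),
    ("landing",  lambda r: r["host"] == RIG_EK_HOST and r["ctype"] == "text/html"),
    ("flash",    lambda r: r["host"] == RIG_EK_HOST and r["ctype"] == "application/x-shockwave-flash"),
    ("payload",  lambda r: r["host"] == RIG_EK_HOST and r["ctype"] == "application/x-msdownload"),
    ("callback", lambda r: r["dst"] == CALLBACK_DST),
]

# Hypothetical proxy log format (an assumption): <ts> <client> <method> <host> <dst_ip:port> <uri> <content-type>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")
# Constructed sample lines: hosts and IPs are the post's IOCs; client IPs, times and URIs are made up.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 GET standiferplace.org 23.253.246.169:80 /index.php text/html
12:00:02 10.0.0.5 GET gissendannerkudosta.cyclemanagementassociates.org 74.208.192.129:80 /?a=1 text/html
12:00:03 10.0.0.5 GET gissendannerkudosta.cyclemanagementassociates.org 74.208.192.129:80 /?a=2 application/x-shockwave-flash
12:00:04 10.0.0.5 GET gissendannerkudosta.cyclemanagementassociates.org 74.208.192.129:80 /?a=3 application/x-msdownload
12:00:09 10.0.0.5 CONNECT 65.49.8.96 65.49.8.96:443 - -
12:01:01 10.0.0.7 GET gissendannerkudosta.cyclemanagementassociates.org 74.208.192.129:80 /?a=1 text/html
12:01:02 10.0.0.7 GET gissendannerkudosta.cyclemanagementassociates.org 74.208.192.129:80 /?a=2 application/x-shockwave-flash
12:02:00 10.0.0.9 GET example.com 203.0.113.10:80 / text/html
this line is malformed and must be skipped
"""

def parse(line):
    """Return a record dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line.strip())
    return dict(zip(("ts", "client", "method", "host", "dst", "uri", "ctype"), m.groups())) if m else None

def correlate(log_text):
    """Map each client IP to the chain stages it hit, in order of first occurrence."""
    hits = defaultdict(list)
    for r in filter(None, map(parse, log_text.splitlines())):
        for name, match in STAGES:
            if match(r) and name not in hits[r["client"]]:
                hits[r["client"]].append(name)
    return {client: stages for client, stages in hits.items() if stages}

def verdict(stages):
    """Payload plus callback is a live CryptMIC infection; EK contact without payload is an attempt."""
    if "payload" in stages:
        return "infected" if "callback" in stages else "payload delivered"
    return "exploit attempt" if "landing" in stages or "flash" in stages else "no EK contact"
```

Clients that only reached the landing page or Flash stage (like 10.0.0.7 in the sample) match the author's first, unsuccessful run and still deserve a look at %TEMP%, but only the payload-plus-callback combination confirms the ransomware is live.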

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
